Cherwell application (on-prem)

IAM David Bantz dabantz at
Mon Apr 29 14:02:33 EDT 2019

Yes, my understanding is that Windows client users are authenticated via
their domain login alone and that enabling that access without an additional
prompt for credentials was a "requirement" of our deployment. And yes,
that hinders implementing MFA for the Windows thick clients.


On Mon, Apr 29, 2019 at 9:53 AM Cantor, Scott <cantor.2 at> wrote:

> On 4/29/19, 1:43 PM, "IAM David Bantz" <db at> wrote:
> > 1. Both thick (Windows) clients and the web browser interface are supported.
> To support both as seamlessly as possible, our
> > AD team asked that we identify users of the web client with an
> identifier including the Windows domain, like
> > ua\username. This required ginning up that identifier in
> attribute-resolver.xml
> We support SSO for both thick client and browser, and both use email
> address IDs just fine (not that I'm advocating it, but in practice email
> vs. domain naming is functionally the same, it's likely name based on just
> as good/bad as the other). It's SAML either way. If there's a domain login
> feature for the thick client (SPNEGO), we didn't use it, but that would be
> a probable reason for pushing the domain naming. It's also probably a bad
> choice, since it's a giant pain to support compared to browser-based login,
> and you lose MFA, etc.
> -- Scott
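As an added illustration of what "ginning up that identifier in attribute-resolver.xml" can look like (this is not code from either poster, nor Cherwell's or the Consortium's documentation), assuming Shibboleth IdP v3.4 resolver syntax, an LDAP data connector with id myLDAP that returns the uid attribute, and the ua domain named in the thread:

```xml
<!-- Added example, not from the original thread. Assumed: IdP v3.4
     attribute-resolver.xml syntax, a data connector id="myLDAP" that
     exposes the LDAP attribute "uid", and "ua" as the Windows domain. -->
<AttributeDefinition xsi:type="Template" id="domainUser">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    <!-- Velocity treats a backslash in front of a reference as an escape,
         so "ua\${uid}" would render literally as "ua${uid}". Double the
         backslash to get ua\jdoe for uid=jdoe. -->
    <Template><![CDATA[ua\\${uid}]]></Template>
</AttributeDefinition>
```

The attribute still has to be released to the Cherwell SP in attribute-filter.xml and, if the SP keys on the SAML NameID rather than on an attribute, mapped to a NameID in saml-nameid.xml. Note that none of this changes the MFA situation Scott describes: the prefixed identifier is just a string in an assertion the IdP issues after its own login flow, whereas a thick client that accepts the Windows domain login directly never reaches the IdP's authentication at all.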
